At the Secure 2025 cybersecurity conference, Microsoft announced a range of updates for its Defender XDR platform, aiming to enhance threat detection and response. The first new AI-powered feature that the company highlighted today is the new Microsoft Security Copilot Phishing Triage Agent in the Defender Portal.
According to Microsoft, 90 percent of the emails reported as phishing are actually harmless, and it can take security analysts up to 30 minutes to review and determine that these emails are not threats. The new phishing triage agent is designed to boost the productivity of SOC analysts by helping them manage and prioritize user-reported phishing emails. It leverages Large Language Models (LLMs) to perform sophisticated assessments and then autonomously decide if an email is a real phishing threat or a false positive.
“Powered by continuous learning capabilities, the agent adapts to the organization’s unique threat landscape based on analyst feedback. Each piece of input enhances its decision-making, enabling it to refine its triage actions over time. Additionally, the agent provides natural language explanations for its verdicts, along with a visual representation of its reasoning process,” Microsoft explained.
Security teams often face challenges in determining the extent and type of data affected during a security incident. Without a clear understanding of the data impact, prioritizing incidents that require immediate attention and resources becomes difficult.
To address this issue, Microsoft has introduced Purview Data Security Investigations (DSI), accessible directly from the incident graph within Microsoft Defender XDR. Microsoft Purview DSI accelerates the process of examining data related to security incidents, such as emails, files, and messages. It utilizes AI to thoroughly analyze content and identify key security risks and sensitive data.
Over the past few years, Microsoft has observed that cybercriminals are increasingly abusing OAuth applications to gain unauthorized access to business data in Microsoft 365 apps. Microsoft is enhancing security by integrating OAuth apps into Microsoft Security Exposure Management.
This new integration allows security teams to visualize and remediate attack paths involving high-privilege OAuth applications that access Microsoft 365 SaaS apps. It also helps to prioritize critical exposure points and leverage Advanced Hunting capabilities to investigate attack surface connections from user apps to OAuth apps.
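The exposure-management idea in the paragraph above (users consent to apps, apps hold permissions, and the high-privilege grants are the ones worth remediating first) can be shown with a small inventory walk. The following is an added example, not Microsoft code and not how Exposure Management computes its attack paths; the OAuth app inventory, the list of permissions treated as high-privilege, and the scoring weights are all constructed assumptions, although the permission names are real Microsoft Graph permissions.

```python
"""Rank OAuth app grants by exposure: which identity reaches which
high-privilege permission through which app.  Constructed example."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Microsoft Graph permissions that give broad tenant-wide reach.  The
# selection and weights are assumptions; tune them to your own tenant.
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All": 10,
    "RoleManagement.ReadWrite.Directory": 10,
    "Application.ReadWrite.All": 9,
    "Mail.ReadWrite": 7,
    "Files.ReadWrite.All": 7,
    "Sites.ReadWrite.All": 6,
    "User.ReadWrite.All": 6,
}


@dataclass
class OAuthApp:
    name: str
    publisher_verified: bool
    # (permission, kind): "Application" grants act without a signed-in user
    # (tenant-wide), "Delegated" grants act as the consenting user.
    permissions: List[Tuple[str, str]]
    # Identities whose consent created the grant: an admin for application
    # permissions, each consenting user for delegated ones.
    granted_by: List[str] = field(default_factory=list)


@dataclass
class ExposurePath:
    identity: str
    app: str
    permission: str
    kind: str
    score: int


def score_grant(app: OAuthApp, permission: str, kind: str) -> int:
    """0 if the permission is not high-privilege, otherwise a weight that
    rises for application (tenant-wide) grants and unverified publishers."""
    base = HIGH_PRIVILEGE.get(permission)
    if base is None:
        return 0
    score = base
    if kind == "Application":
        score += 5  # survives user offboarding and per-user MFA
    if not app.publisher_verified:
        score += 3  # no publisher attestation behind the app
    return score


def find_exposure_paths(apps: List[OAuthApp]) -> List[ExposurePath]:
    """Enumerate identity -> app -> permission paths that end in a
    high-privilege grant, highest exposure first."""
    paths = []
    for app in apps:
        for permission, kind in app.permissions:
            score = score_grant(app, permission, kind)
            if score == 0:
                continue
            for identity in app.granted_by:
                paths.append(ExposurePath(identity, app.name, permission, kind, score))
    paths.sort(key=lambda p: (-p.score, p.app, p.identity))
    return paths


# Constructed sample inventory (fictional apps and identities).
SAMPLE_APPS = [
    OAuthApp("Mail Sync Helper", False, [("Mail.ReadWrite", "Delegated")],
             ["alice@contoso.example"]),
    OAuthApp("HR Connector", True, [("Directory.ReadWrite.All", "Application")],
             ["admin@contoso.example"]),
    OAuthApp("Calendar Widget", True, [("Calendars.Read", "Delegated")],
             ["bob@contoso.example"]),
    OAuthApp("Legacy Backup", False,
             [("Files.ReadWrite.All", "Application"), ("User.Read", "Delegated")],
             ["admin@contoso.example"]),
]

if __name__ == "__main__":
    for p in find_exposure_paths(SAMPLE_APPS):
        print(f"{p.score:>3}  {p.identity} -> {p.app} -> {p.permission} ({p.kind})")
```

Low-privilege grants such as `Calendars.Read` and `User.Read` drop out entirely, so the list that remains is the remediation queue: revoke or re-scope the tenant-wide grants first, then the delegated grants held by unverified publishers.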
Microsoft has also announced today the general availability of collaboration security for Microsoft Teams. This feature lets administrators enable inline protection against malicious URLs, Safe Attachments scanning, brand impersonation protection, and more.
The Automatic attack disruption feature uses multi-domain signals, threat intelligence, and AI to anticipate and block attackers’ moves. Recent updates include threat intelligence-based disruption and expansion to OAuth apps. This feature includes a self-learning architecture that monitors extensive data sources, learns from past events, and disrupts attacks earlier and more effectively.
Last but not least, Microsoft announced that the full suite of Threat Analytics features is now available across all Microsoft Intelligence reports. Security teams can investigate past threats using expired Indicators of Compromise (IOCs) for remediation and proactive hunting. Moreover, they can develop detections based on specific threat techniques to block and alert on tactics beyond IOCs. It’s also possible to tailor threat analysis by filtering threats according to industry.